-
Notifications
You must be signed in to change notification settings - Fork 17.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
proposal: crypto/elliptic: add A to CurveParams, allowing some cases of A != -3 #26776
Comments
@cag Hey.I wonder if your go fork has this curve supported. |
No, still exploring this issue, and whatever I implement first will likely not be timing side-channel secure. Also, wrt Curve25519, there is an IETF draft talking about the compatibility of that, Ed25519, and an equivalent Weierstrass form of it: https://tools.ietf.org/id/draft-struik-lwig-curve-representations-02.html
I was wrong. To paraphrase Wikipedia:
Regarding prime Koblitz curves: those weren't recommended by the NIST in FIPS 186. I got them from SECG's SEC 2. FIPS 186 calls secp256r1 the P-256 curve, which is what the name What I'd like to know is whether any of the following provides enough motivation for an elliptic.Curve expansion to the class of general short-form Weierstrass curves to be implemented in the golang standard lib:
|
Thanks to @collinc97 for implementing this for me! Note that allowing A to vary means changing only the doubling algorithm from this to this, as the addition algo is identical to the current implementation. This changes the cost from Anyway, |
@cag It is really a good news from you, and I really thank you for the contribuction.
Then i ran it and got the output:
May be my mistake? |
@sanguohot No mistake. Just that this is only the elliptic.Curve implementation stuff, not any of the PKI stuff supporting it. Thanks for the test case though! I suspect what's left is a simple matter of mapping the named curve enum to an ECDSA thingy backed by the appropriate curve, but I haven't looked into doing this yet. Sorry to get your hopes up so soon. Edit: with that said, be warned:
|
@cag Oh, it is a pity. |
@sanguohot I have just added tls support for secp256k1 on #26873
Let me know if you have any issues. |
@collinc97 Oh my god! |
@collinc97 @cag I got a problem.
I list the server's cipher suites
And the openssl supported
I test it using openssl s_client, and this is my code.
Everything seems ok.
Then I test it with the cipher suites supported.
Unluckly I get the error
And the server said:
cert files:
I have no idea now, would you give me some help please? |
I would be interested in this as it would allow ed25519 to be used as an elliptic.Curve with the appropriate conversion to Weierstrass form (if I understood correctly). The ed25519 package from x/crypto only exposes the signature interfaces, it does no expose point operations required for things like PAKE. At the very least it would be nice if the implementation wasn't nested in an internal package so that these operations could be built on top. |
Hello! I see that there's a PR to expose the A param - will this get merged at some point? |
I'd also love to have some news on this topic. It seems an easy fix, why is not merged yet? |
There seems to be two separate proposals here: making the generic CurveParams implementation more flexible, and adding support for more curves (or curve operations). I believe the generic CurveParams type was a mistake. Custom curves don't belong in the standard library, as most users should never ever use them. As a way to implement known curves, the CurveParams approach is suboptimal, because it requires generic, slow and non-constant time implementations. Indeed, the only elliptic.Curve you should use (NIST P-256) has a completely separate implementation. (But you can still shoot yourself in the foot by using As for adding curves, I'm not convinced they need to be in the standard library either. Surely there is a good secp256k1 implementation in the ecosystem due to its use in Bitcoin. As for Ed25519 curve operations, that might be worth doing if there's enough demand. Please open a new issue to discuss that specifically, as it would likely go into x/crypto/ed25519. (Although I would recommend using https://github.com/gtank/ristretto255 in new protocols instead.) Finally, BN256 is broken, so we can ignore it. There is an argument for providing a curve interface, but unfortunately |
I'm confused. You are saying that it is correct that only A = 0 curves are
legitimate in go standard library?
If I'm given a curve with A=Xa and B=Xb customly choosen by an external
entity, how can I cope with it?
Paolo
…On Fri, May 31, 2019, 13:13 Filippo Valsorda ***@***.***> wrote:
There seems to be two separate proposals here: making the generic
CurveParams implementation more flexible, and adding support for more
curves (or curve operations).
I believe the generic CurveParams type was a mistake. Custom curves don't
belong in the standard library, as most users should never ever use them.
As a way to implement known curves, the CurveParams approach is suboptimal,
because it requires generic, slow and non-constant time implementations.
Indeed, the only elliptic.Curve you *should* use (NIST P-256) has a
completely separate implementation. (But you can still shoot yourself in
the foot by using elliptic.P256().Params().) So no, I don't think we
should double down on the mistake by expanding CurveParams in the standard
library.
As for adding curves, I'm not convinced they need to be in the standard
library either. Surely there is a good secp256k1 implementation in the
ecosystem due to its use in Bitcoin. As for Ed25519 curve operations, that
might be worth doing if there's enough demand. Please open a new issue to
discuss that specifically, as it would likely go into x/crypto/ed25519.
(Although I would recommend using https://github.com/gtank/ristretto255
in new protocols instead.) Finally, BN256 is broken, so we can ignore it.
There is an argument for providing a curve interface, but unfortunately
elliptic.Curve hardcoded *big.Int in its method definitions, so I'm
afraid it's not the way forward, and I'll document that it's frozen to the
NIST curves. ***@***.*** <https://github.com/gtank> tried making an Ed25519
elliptic.Curve, and it was awkward and slow due to the API.)
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#26776?email_source=notifications&email_token=ADYO7VN3XH7RTC4SAOWS4JLPYEB4LA5CNFSM4FNTP2ZKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODWU54PA#issuecomment-497671740>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ADYO7VIT2VIDMI3QH77JOZLPYEB4LANCNFSM4FNTP2ZA>
.
|
I am saying the standard library should provide specialized implementations of an opinionated small set of curves, not support for all possible curves. The latter belongs in a third-party project (which can absolutely start from the stdlib code, as it's BSD licensed). |
I went ahead and pulled the code from the PR out and put a usable version here (tests and example included): https://github.com/eliwjones/crypto The main secp256k1 stuff I see out and about are wrappers of C code. I have not seen a satisfactorily trustworthy native Go implementation.. so, if anyone knows of one, please post it here. |
Apparently there is one here: https://github.com/btcsuite/btcd/tree/master/btcec |
Part of #1003 We have to implement Koblitz-related math to recover keys properly with Neo.Cryptography.Secp256k1Recover interop as far as standard go elliptic package supports short-form Weierstrass curve with a=-3 only (see golang/go#26776 for details). However, it's not the best choise to have a lot of such math in our project, so it would be better to use ready-made solution for Koblitz-related cryptography.
Part of #1003 We have to implement Koblitz-related math to recover keys properly with Neo.Cryptography.Secp256k1Recover interop as far as standard go elliptic package supports short-form Weierstrass curve with a=-3 only (see golang/go#26776 for details). However, it's not the best choise to have a lot of such math in our project, so it would be better to use ready-made solution for Koblitz-related cryptography.
Part of #1003 We have to implement Koblitz-related math to recover keys properly with Neo.Cryptography.Secp256k1Recover interop as far as standard go elliptic package supports short-form Weierstrass curve with a=-3 only (see golang/go#26776 for details). However, it's not the best choise to have a lot of such math in our project, so it would be better to use ready-made solution for Koblitz-related cryptography.
Part of #1003 We have to implement Koblitz-related math to recover keys properly with Neo.Cryptography.Secp256k1Recover interop as far as standard go elliptic package supports short-form Weierstrass curve with a=-3 only (see golang/go#26776 for details). However, it's not the best choise to have a lot of such math in our project, so it would be better to use ready-made solution for Koblitz-related cryptography.
Implement secp256k1 and secp256r1 recover interops, closes #1003. Note: We have to implement Koblitz-related math to recover keys properly with Neo.Cryptography.Secp256k1Recover interop as far as standard go elliptic package supports short-form Weierstrass curve with a=-3 only (see golang/go#26776 for details). However, it's not the best choise to have a lot of such math in our project, so it would be better to use ready-made solution for Koblitz-related cryptography.
Implement secp256k1 and secp256r1 recover interops, closes #1003. Note: We have to implement Koblitz-related math to recover keys properly with Neo.Cryptography.Secp256k1Recover interop as far as standard go elliptic package supports short-form Weierstrass curve with a=-3 only (see golang/go#26776 for details). However, it's not the best choise to have a lot of such math in our project, so it would be better to use ready-made solution for Koblitz-related cryptography.
Implement secp256k1 and secp256r1 recover interops, closes #1003. Note: We have to implement Koblitz-related math to recover keys properly with Neo.Cryptography.Secp256k1Recover interop as far as standard go elliptic package supports short-form Weierstrass curve with a=-3 only (see golang/go#26776 for details). However, it's not the best choise to have a lot of such math in our project, so it would be better to use ready-made solution for Koblitz-related cryptography.
Implement secp256k1 and secp256r1 recover interops, closes #1003. Note: We have to implement Koblitz-related math to recover keys properly with Neo.Cryptography.Secp256k1Recover interop as far as standard go elliptic package supports short-form Weierstrass curve with a=-3 only (see golang/go#26776 for details). However, it's not the best choise to have a lot of such math in our project, so it would be better to use ready-made solution for Koblitz-related cryptography.
Implement secp256k1 and secp256r1 recover interops, closes #1003. Note: We have to implement Koblitz-related math to recover keys properly with Neo.Cryptography.Secp256k1Recover interop as far as standard go elliptic package supports short-form Weierstrass curve with a=-3 only (see golang/go#26776 for details). However, it's not the best choise to have a lot of such math in our project, so it would be better to use ready-made solution for Koblitz-related cryptography.
Implement secp256k1 and secp256r1 recover interops, closes #1003. Note: We have to implement Koblitz-related math to recover keys properly with Neo.Cryptography.Secp256k1Recover interop as far as standard go elliptic package supports short-form Weierstrass curve with a=-3 only (see golang/go#26776 for details). However, it's not the best choise to have a lot of such math in our project, so it would be better to use ready-made solution for Koblitz-related cryptography.
The following addition to
CurveParams
is proposed:The groups from bn256 can be considered instances of elliptic.Curve with this modification, being Koblitz curves with A = 0, B = 3. I suspect the G1 implementation can be repurposed as a general variable-time implementation for A = 0 curves, as the implementation derives from the study of this class of curves, which only assumes that A = 0.
Some support for the named Koblitz curves in SEC 2 can also be added (so A = 0 or A = -1 (mod P) also possible).
Parsing X.509 keys which use these curves with crypto/x509 should also work. This means keys and certificates which use the Koblitz curves will be supported by the tls module. Refer to RFC 4492 Section 5.1.1 for their corresponding enum values.
See also #6782 and #26187
Also would like to remark that all Montgomery curves admit a Weierstrass form (and the computational speedup for computing operations on e.g. Curve25519, can be thought of as implementation details). In fact, all elliptic curves could be correctly implemented by elliptic.Curve with this modification.Curve/Ed25519 is isomorphic to a curve group defined by a short Weierstrass form equation, but this is not the case in general.The text was updated successfully, but these errors were encountered: